Software providers beware: They are now liable for defective products
The new Product Liability Directive imposes stricter requirements on software manufacturers. And not only them: many other players are now also liable.
(Image: iX)
- Christina Kiefer
The digitalization of products raises new liability issues. The existing Product Liability Directive 85/374/EEC of 1985 does not fully take into account the specific risks of digital products. For example, it lacked sufficiently clear rules on liability for software or products with software components. On September 28, 2022, the European Commission therefore presented a draft for a new version of the Product Liability Directive (Product Liability Directive), which was adopted by the Council on October 10, 2024. The Product Liability Directive will completely replace the existing directive.
The core of the Product Liability Directive remains a claim for damages for defective products. The legal situation has been tightened for software manufacturers in particular: while it was previously disputed whether software constituted a product in terms of product liability, the Product Liability Directive now expressly provides for liability for stand-alone software as well. Other changes include the definition of a defect, compensable damage and the allocation of the burden of proof.
Extension of the scope of application
The Product Liability Directive extends the scope of application compared to its predecessor. In addition to movable property and the raw material electricity, it now also covers digital design documents and software. It is irrelevant whether the software is installed on a device or provided as software-as-a-service. In the event of defects in integrated software, the software manufacturer is also liable as the manufacturer of a so-called component in addition to the end manufacturer of the final product. Connected services such as voice assistants are also considered components if they have been integrated into the product under the manufacturer's control.
There is an exemption for open source software, among other things: in order not to hinder innovation and research, free and open source software that is developed and offered outside of a commercial activity is exempt from liability, although the scope of this exemption is currently being discussed – similar to the exemption in the Cyber Resilience Act (CRA) –. As a result, the Product Liability Directive leads to extensive liability of the (software) manufacturer for defective products – regardless of whether the manufacturer has a direct contractual relationship with the injured party.
A product is defective if it does not meet legitimate safety expectations. The Product Liability Directive provides new criteria for the assessment of defectiveness. For example, the product's ability to learn or its foreseeable use together with other products must be taken into account. A lack of cyber security and therefore a breach of the new CRA, among other things, can now also constitute a product defect. Liability for defective products has also been extended in terms of time. According to the Product Liability Directive, the manufacturer is no longer only liable up to the point at which the product reaches the user. The decisive factor is when the product leaves the "control of the manufacturer". However, as long as the manufacturer is able to provide software updates, he continues to exercise control and can be held liable for any defects that occur.
Extension of the liable economic operators
As before, the manufacturer and quasi-manufacturer of the product or component are the primary addressees of liability. If the manufacturer is not based within the EU, the importer and the manufacturer's authorized representative are liable and, if there is neither an importer nor an authorized representative, the fulfillment service provider. If these are not available either, suppliers and providers of online platforms can be held liable.
The claim for damages expressly covers all financial losses and also extends to immaterial damages, insofar as these are eligible for compensation under national law. The destruction of or damage to data that is not used for professional purposes is now also recognized as damage. Medically recognized impairment of mental health is now also considered personal injury. For damage to property other than the defective product itself, the previous excess of 500 euros no longer applies. The previous maximum liability limit of 85 million euros for damage caused by death or bodily injury has also been removed, which is a relief for the injured parties and an increase in liability for the liable economic operators.
In view of the difficulties in proving product defects or their causality for damage, the Product Liability Directive provides for procedural simplifications. If the plaintiff has presented facts and evidence that make a claim appear plausible, the court can oblige the defendant to disclose evidence. The defectiveness of the product is presumed if the injured party proves that the product does not comply with the statutory product safety requirements. The same applies if the defendant has not fulfilled its obligation to disclose relevant evidence.
Conclusion
Once the Product Liability Directive comes into force, the member states are obliged to implement it within two years. As non-compliance with the statutory safety requirements is presumed to be a product defect, manufacturers should use the time to implement the new statutory safety requirements , such as those of the CRA, in order to avoid liability risks. Particularly in the case of products with digital elements and software, it should be noted that placing the product on the market does not represent a caesura after which responsibility ends. Rather, manufacturers must take measures such as security updates to ensure that the products remain error-free. However, other market participants, such as importers, should also check whether they can be held liable.
(olb)